ReadWriteWeb

Facebook Security Lapse Leaves Private Photos Exposed, Even Paris and Zuck's

Written by Marshall Kirkpatrick / March 24, 2008 6:45 PM / 10 Comments

The Associated Press reported this afternoon that its reporters were able to use an undisclosed method to access private photos on Facebook, including some from Paris Hilton at the Emmys and others from Facebook founding CEO Mark Zuckerberg's vacation in November of 2005. (They did not publish any of those photos, but Paris uses Facebook for real - confirmed!)

If that was Zuckerberg's last trip outside of work, he'd better not schedule more any time soon. Privacy controls have been the defining feature of Facebook's past success and are central to the company's plans for the future. Update: Some readers here and on Twitter are telling us that it's a simple URL edit that has exposed these photos for months, much as was the case with MySpace in January. It does appear that that particular method of accessing these photos no longer works.

The AP reported the security exploit to Facebook this morning and says the company appears to have patched it by late in the day. We found the story via social news site Mixx.

Privacy has been an essential, defining characteristic of Facebook's rapid growth and is something users defend loudly. Sometimes perceived privacy violations can be apologized for and quietly moved beyond, as was the case with the launch of the Beacon advertising platform, and at other times perceived privacy violations can cause a huge uproar that gets replaced with user acceptance - as happened with the Newsfeed.

Such will not be the case with today's breach. It appears to have been simply a technical inadequacy. The hole was discovered and shared with the AP by "computer technician" Byron Ng. (Incidentally, the AP says Ng lives in Vancouver but the only Canadian Facebook user by that name lives on the other side of the country. Or does he?) The AP says Ng was testing Facebook's even more powerful privacy features rolled out last week. (In fact, if the rumored URL hack is the method in question, it's all quite simple. Way to go Byron Ng for getting some serious publicity, though.)

When we interviewed Facebook CEO Mark Zuckerberg at SXSW he said that the company's key contribution to the important movement for Data Portability would be to nail down the privacy angle. He pointed out, and rightly so, that users will feel far more secure sharing their data online and across different sites, if they can do so with the assurance that they have control over who can see that data.

It's reminiscent of a story that was reported this January - about putting User IDs into the URLs of private photos on MySpace in order to view them. That breach was said to have been discussed around the web for months before MySpace did anything about it. If this was the same opening available at Facebook - couldn't someone there have said "hey, you can do that here too?"

It's tempting to say that breaches like this are an obstacle to ongoing user adoption of online services. At the same time, how often are credit card numbers exposed? The convenience of online shopping mitigates the impact of those stories. The same may or may not be true with online social networking.

That's probably enough said on the matter. Just try to make sure it doesn't happen again, ok?

Comments


  1. "...it doesn't happen again, ok?" :-)

    Posted by: 113.com | March 24, 2008 7:18 PM



  2. This flaw has been publicly known for weeks (which I report as an example of how poorly Facebook takes user privacy, not as a correction to your story). Really crazy. They weren't checking user permissions for photo pages. If you could guess the ID of a photo, you could view that photo. Worse, they gave you ways to determine the ID of a recent photo. And once you viewed a private photo in the album, the previous/next links worked, showing you the rest of the private photos in that album!

    Here is a tutorial, from late February (AP is reporting that the flaw was fixed, so hopefully this doesn't still work.)

    Posted by: Mark Jaquith | March 24, 2008 7:28 PM



  3. Verified that they fixed it:

    The page you requested can not be displayed right now. It may be temporarily unavailable, the link you clicked on may have expired, or you may not have permission to view this page.

    BUT you can still see private photos in which you are tagged, even if you were omitted from the permissions list. I created a new album on my wife's account, and blocked all her networks, and all her friends except one (not me). I added one picture of me, then tagged myself in it. On my account, it announced the photo to me with a thumbnail and I was able to view it. At no time did it warn me (on her account) that by tagging the photo I was expanding the permissions on that photo. Not a huge flaw, but still -- if people are going to trust these privacy settings, they need to be bulletproof.

    Posted by: Mark Jaquith | March 24, 2008 7:58 PM
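The missing per-object permission check described in comment 2, together with the tag-based visibility comment 3 observed, as an added example (not code from the article, from Facebook or from either commenter): a toy photo service with the vulnerable lookup beside the hardened one. The users, album and photo ids are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Album:
    owner: str
    allowed: set = field(default_factory=set)  # viewers the owner granted

@dataclass
class Photo:
    photo_id: int
    album: Album
    tagged: set = field(default_factory=set)   # users tagged in the photo

# Constructed sample data: Alice's private album, shared only with Bob.
VACATION = Album("alice", {"bob"})
PHOTOS = {
    100: Photo(100, VACATION),
    101: Photo(101, VACATION, tagged={"dave"}),
    102: Photo(102, VACATION),
}

def get_photo_vulnerable(photo_id):
    """'Before': trusts the id from the URL and never asks who is asking,
    so any guessed valid id returns the photo (comment 2)."""
    return PHOTOS.get(photo_id)

def can_view(viewer, photo):
    """Visibility rule: owner, the album's allow list, and (as comment 3
    observed) anyone tagged in the photo, which widens visibility."""
    return (viewer == photo.album.owner or viewer in photo.album.allowed
            or viewer in photo.tagged)

def get_photo(viewer, photo_id):
    """'After': fetch, then enforce this viewer's permission on this object.
    Missing and denied look the same, so ids cannot be probed for existence."""
    photo = PHOTOS.get(photo_id)
    return photo if photo is not None and can_view(viewer, photo) else None

def neighbours(viewer, photo_id):
    """Prev/next links come only from photos this viewer may see, so opening
    one photo no longer walks the rest of a private album."""
    photo = get_photo(viewer, photo_id)
    if photo is None:
        return (None, None)
    visible = sorted(p.photo_id for p in PHOTOS.values()
                     if p.album is photo.album and can_view(viewer, p))
    i = visible.index(photo_id)
    prev_id = visible[i - 1] if i > 0 else None
    next_id = visible[i + 1] if i + 1 < len(visible) else None
    return (prev_id, next_id)
```

The tagging rule is the point comment 3 raises: it is a deliberate widening of who can see the photo, so the owner should be told at tagging time.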



  4. Hah! I wonder how many other celebs use Facebook to keep up to speed with their friends :)

    Posted by: Ehab | March 25, 2008 2:04 AM



  5. it's nice that you linked to the wired story but don't pretend it wasn't wired which reported that story. as a matter of courtesy, you should mention the publication by name. let's not be catty about it. on the whole, i like your site, but don't fall into bad habits, a la "techdirt"

    Posted by: wired guy | March 25, 2008 6:59 AM



  6. Which Paris Hilton photos can you find on FaceBook that you cannot find by googling? Not many, I was guessing! :-)

    Posted by: sandybutt | March 25, 2008 8:13 AM



  7. This reminds me of a far worse security problem that happened to a site called 'millionaire match' a couple of years ago.

    The same problem was identified, but it worked with profile editing. A user worked out that the php ?userID was the only requirement to get into the profile. This incredibly also included the users' home address, and credit card details.

    This 'hack' was posted on a popular message board, and many posters went nuts changing people's profiles (changing their photos etc). Luckily as far as anyone could tell nobody tried to mess with the credit cards, but it could easily have been done.

    You'd have thought programmers would have learned not to do that by now, huh?

    Posted by: sdrio | March 25, 2008 10:11 AM



  8. I've been making use of this loophole for over a year to send pictures to people. Here are two examples of its use in 2007 (one of the URLs is now dead):

    http://www.cs.bham.ac.uk/~bas/fb.jpg

    Posted by: Ben Smyth | March 26, 2008 3:14 AM



  9. Rule of thumb is be careful what you post on these sites. Keep your private information private...

    Posted by: Jen | March 26, 2008 10:22 AM



  10. very useful article...great and thanks for sharing with us

    Posted by: elena | March 31, 2008 8:01 AM


